Talk:DomainKeys Identified Mail: Difference between revisions
Latest revision as of 13:51, 20 March 2023
Don't mind me...
But every time I see this title, my brain initially processes it as "Donkey Identified Mail." Howard C. Berkowitz 17:03, 12 October 2009 (UTC)
- Careful there Howard, we're trying to be neutral. :>) This is one of those articles likely to bring some partisans to the discussion. The closer we get to specific methods, the more controversy we can expect. --David MacQuigg 17:16, 12 October 2009 (UTC)
- I actually don't know the first thing about this method. But let's think about Donkey Identification. Wouldn't it be an appropriate certification that something is indeed approved by the Democratic Party (United States)? Couldn't we have Elephant Identified Mail? Howard C. Berkowitz 19:08, 12 October 2009 (UTC)
More seriously
The description confuses me a bit. Isn't DNS security a subset of public key infrastructure, not an alternative? Yes, the primary purpose is to validate the domain information, but one can still get a certificate through DNSSEC, I thought. Howard C. Berkowitz 19:11, 12 October 2009 (UTC)
- There is a debate going on right now on the merits of DNSSEC instead of the current PKI to distribute public keys. See the posts by Lauren Price at http://www.circleid.com/posts/an_authenticated_internet and Howard Eland at http://www.circleid.com/posts/securing_a_domain_ssl_vs_dnssec. The gist of the argument for DNSSEC is that we can piggyback on a delegation structure already in place and guarded with rigor. If the masters of .org certify a pubic key for mydomain.org, we can trust them. We can't trust the existing PKI used in web browsing, because users don't take it seriously when they see a certificate is not trusted; they just click on through. The result has been a lack of discipline by legitimate websites in keeping their certificates valid. Better to stash our public keys in DNS. If that ever breaks, the whole Internet will come down.
- As for making DNS security a subtopic of public keys, I would say it might be the other way around. If you look at the spectrum of DNS security threats (e.g. Table 10.1 in "Pro DNS and BIND" by Ron Aitchison (best book on DNS in my opinion)), you see that DNSSEC is listed as a solution for only two of the five categories.
--David MacQuigg 21:21, 12 October 2009 (UTC)
- Having made the above typo myself, in live presentations, I will simply say that only if and when a .xxx TLD is approved, will pubic keys be appropriate. They are not for .org, your example. :-)
- Again returning to moderate sanity, I oversimplified when I suggested any hierarchical relationship among DNSSEC and PKI. I don't necessarily assume the X.509 model defines PKI; it describes a hierarchical certificate structure. PGP describes a distributed trust structure.
- It's ironic that a great many .mil public sites show untrusted certificates. I will click through knowing they do it and are monitored, but it's annoying.
- Sounds like I should start visiting CircleID again. Howard C. Berkowitz 21:44, 12 October 2009 (UTC)
- Is that a default DNS TTL or fixed? I'm not always convinced that the ability to use a cache is worth it when it comes to security. Howard C. Berkowitz 21:04, 14 October 2009 (UTC)